What is risk management in a security context, and why is it framed as a process?
It's the continuous practice of identifying, assessing, and treating risks — ongoing because the threat landscape never stops changing.
* Risk management as a continuous cycle: identify, assess, treat, review. *
Risk management means systematically asking: What could go wrong? How likely is it? How bad would it be? What do we do about it? — and then choosing to mitigate, transfer (e.g. insurance), accept, or avoid each risk.
It's a process, not a one-off, because new threats, systems, and business changes constantly create new risks. A risk assessment from two years ago is stale. Hence organizations run a recurring risk-management process with periodic review.
Tip: You can never reach zero risk — the goal is to reduce risk to an acceptable level given your resources, and to consciously decide which residual risks to accept.
Go deeper:
IT risk management (Wikipedia) — the continuous identify/assess/treat cycle applied to IT.